Windows Phone 7 piracy materializes with FreeMarketplace

A tool enabling any Windows Phone 7 application to be installed without …

A proof-of-concept application, FreeMarketplace, that allows any Windows Phone 7 application to be downloaded and installed free of charge has been developed. Though Marketplace applications are protected by DRM, FreeMarketplace removes the protection, enabling the applications to be used without charge.

It was discovered shortly after the phone platform went on sale that the raw installation packages, "XAP" files, could be freely downloaded: the Zune client software fetches XML files listing all the package locations in order to browse and install applications, and both this XML and the XAPs themselves are served without any access restriction, so no purchase or account is needed to retrieve them.

Though this poses a reverse engineering risk—access to the XAPs enables anyone to examine the compiled code—this didn't immediately enable piracy. The downloaded XAPs could not be successfully deployed, even on unlocked handsets (whether unlocked officially, by registered developers, or unofficially, using ChevronWP7).
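An added example, not from the article and not FreeMarketplace, of what the holder of a raw package can read from it without any credentials. It rests on two facts the article does not spell out: a XAP is an ordinary ZIP archive, and a Windows Phone 7 package carries its declarations in a WMAppManifest.xml entry. The sample package, the minimal fake PE image standing in for an assembly, and the placeholder ProductID are constructed for this example; pointed at a real XAP, the same code lists the manifest and separates the managed (.NET) assemblies, which Reflector-style decompilers read directly, from anything else in the archive.

```python
"""Offline inspection of a Windows Phone 7 XAP package (added example).

A XAP is an ordinary ZIP archive; the manifest and the compiled .NET
assemblies inside it are stored as-is. The sample package built here is
constructed: a minimal fake PE image stands in for a real assembly and the
ProductID is a placeholder. inspect_xap() works the same on a real XAP.
"""
import io
import struct
import xml.etree.ElementTree as ET
import zipfile

MANIFEST = "WMAppManifest.xml"

# Constructed manifest in the WP7 shape: the App element resets the default
# namespace (xmlns="") so it and its children are found by plain tag name.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<Deployment xmlns="http://schemas.microsoft.com/windowsphone/2009/deployment"
            AppPlatformVersion="7.0">
  <App xmlns="" ProductID="{00000000-0000-0000-0000-000000000000}"
       Title="SampleApp" Version="1.0.0.0">
    <Capabilities>
      <Capability Name="ID_CAP_NETWORKING" />
      <Capability Name="ID_CAP_LOCATION" />
    </Capabilities>
  </App>
</Deployment>
"""


def fake_pe32(managed=True):
    """Minimal PE32 image for the sample (constructed, not loadable): MZ stub,
    PE signature, COFF header, 224-byte optional header with 16 data
    directories. Directory 14 is the CLR runtime header: non-zero for a
    managed assembly, zero for a native DLL."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # Machine=i386, 1 section, no symbols, SizeOfOptionalHeader=224, flags
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)        # PE32 magic
    struct.pack_into("<I", opt, 92, 16)          # NumberOfRvaAndSizes
    if managed:
        struct.pack_into("<II", opt, 96 + 14 * 8, 0x2008, 72)  # CLR RVA, size
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def is_managed_pe(data):
    """True if `data` is a PE image whose CLR runtime header directory is
    populated, i.e. a .NET assembly that a decompiler can read directly."""
    try:
        if data[:2] != b"MZ":
            return False
        (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
        if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            return False
        opt = e_lfanew + 4 + 20                        # past signature + COFF
        (magic,) = struct.unpack_from("<H", data, opt)
        dirs = opt + (96 if magic == 0x10B else 112)   # PE32 vs PE32+ layout
        (num_dirs,) = struct.unpack_from("<I", data, dirs - 4)
        if num_dirs < 15:
            return False
        rva, size = struct.unpack_from("<II", data, dirs + 14 * 8)
        return rva != 0 and size != 0
    except struct.error:                               # truncated header
        return False


def parse_manifest(xml_bytes):
    """Identifying fields and declared capabilities from WMAppManifest.xml."""
    app = ET.fromstring(xml_bytes).find("App")
    if app is None:
        raise ValueError("manifest has no App element")
    return {
        "title": app.get("Title"),
        "product_id": app.get("ProductID"),
        "capabilities": [c.get("Name") for c in app.iterfind("Capabilities/Capability")],
    }


def inspect_xap(xap_bytes):
    """Report what the package declares and which DLLs are managed assemblies.
    No credentials, keys or handset are involved: it is plain ZIP content."""
    with zipfile.ZipFile(io.BytesIO(xap_bytes)) as z:
        names = z.namelist()
        manifest = parse_manifest(z.read(MANIFEST)) if MANIFEST in names else None
        dlls = [n for n in names if n.lower().endswith(".dll")]
        managed = [n for n in dlls if is_managed_pe(z.read(n))]
    return {"manifest": manifest, "entries": names,
            "managed_assemblies": managed,
            "other_dlls": [n for n in dlls if n not in managed]}


def build_sample_xap():
    """Constructed XAP: manifest, one managed DLL, one native-looking DLL."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr(MANIFEST, SAMPLE_MANIFEST)
        z.writestr("AppManifest.xaml", "<Deployment />")
        z.writestr("SampleApp.dll", fake_pe32(managed=True))
        z.writestr("NativeStub.dll", fake_pe32(managed=False))
    return buf.getvalue()


if __name__ == "__main__":
    report = inspect_xap(build_sample_xap())
    print("manifest:", report["manifest"])
    print("managed assemblies (decompilable .NET):", report["managed_assemblies"])
    print("other DLLs:", report["other_dlls"])
```

The managed-assembly check reads data directory 14 of the PE optional header, the CLR runtime header, which is the same test a loader applies to decide an image is .NET. Nothing in the archive has to be decrypted or unlocked to get this far, which is why the reverse-engineering concern the article raises stands on its own, whether or not the package can be deployed to a handset.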

A couple of days ago, a post came, and went, on the XDA-developers forum outlining how to take one of these XAPs and modify it to allow it to deploy and run. Though the forum administrators deleted the post, it made it clear that developers were actively looking at ways to defeat the DRM and pirate applications.

Inspired by this, and seeking to pressure Microsoft to address problems with the protection mechanisms, a developer created an application to modify the XAPs in such a way as to allow them to be deployed—an application that allows piracy of any application on the store. The developer has not distributed the application, or described how it works in any detail, as his intention is to demonstrate a problem rather than promote piracy; nonetheless, he says that the application took only six hours to develop, meaning that widely distributed piracy applications can't be far behind.

The Windows Phone 7 Marketplace is growing strongly; it hit 4,000 applications at the start of last week, and it's now up to 5,000. This strong support comes in spite of continued questions about the number of people actually using the platform, showing just how successful Microsoft has been at courting developers and providing an attractive development ecosystem. The spectre of piracy is, however, sure to make some of those developers second-guess their decision to target the platform. Though piracy is relatively abundant on the iPhone and Android, those platforms remain attractive thanks to their huge numbers of users.

Microsoft has been informed of the piracy application, but has not yet responded. The company's response to the earlier discovery that the XAPs could be downloaded was for many a little disappointing; to avoid reverse engineering, it recommended the use of code obfuscation software (and for a limited period, an obfuscator is freely downloadable), but this is hardly a robust solution. Now that the XAPs can be used not just for reverse engineering but also for piracy, a stronger response is likely, and certainly desirable. But what form that will take, and when it will ship, is as yet unknown.

68 Reader Comments

The problem is the improved drm will most likely simply look for the exact method the program uses and block it not actually fix the problem. Or maybe the problem is thinking there is a good DRM solution.

Mmm, I love seeing DRM crumble. Not because I support piracy, but because I hate developers that are dicks and assume users and paying customers are the enemy and should be treated as such. That and I like my property to be under my control, as opposed to this disgusting control-freak DRM creep we're seeing in the mobile space.

I wouldn't classify the sort of protection on App marketplaces in the same "evil DRM" category that, say, Ubisoft's DRM falls into. :\

Wiiggin, DRM is evil, regardless of why it is being deployed. The same goes for "licencing" of software.

We are heading into an era, where the content creators do not want you to own any digital content whatsoever. They want to be able to charge you for every time you consume content of any kind. They want to charge you extra for going to websites that are not part of their systems.

Consumers need to have their voices heard that the internet is toll free and neutral to all parties.

I've yet to buy an app on the WP7 Marketplace because I've yet to find one that does anything better than the free alternative. I have nothing against buying them - MS is really good at keeping track of purchase history, so if I accidentally delete it or the phone bricks I can redownload the app anytime. It's the same system as the Xbox LIVE Arcade, really, and I've used that for years with no trouble.

This is DRM that doesn't get in the way of anything but piracy - I have no issues with it. DRM that cripples system performance or is a hassle to paying customers I'm against. MS has yet to ascribe to that model. I doubt they will.

Net neutrality is so incredibly different I'm surprised you got there so quickly.

WTF? Programmers who have apps on the marketplace are "dicks" because they don't want their apps ripped off for free?

This isn't an issue of you owning software and evil developers putting in DRM to make you buy the same content for each platform, it is an issue of pirates able to download apps from Microsoft for free and due to the nature of .NET, it is easily disassembled unless obfuscated.

I've actually seen one of my free apps basically copied and being sold as a paid app on the marketplace. I suspect they may have used this method to download my app, disassemble it and make minor changes and upload it as a paid app. Otherwise they copied my app pretty closely.

disclosure: I'm a WP7 developer with apps on the Marketplace and am pissed about this.

This is DRM that doesn't get in the way of anything but piracy - I have no issues with it. DRM that cripples system performance or is a hassle to paying customers I'm against. MS has yet to ascribe to that model. I doubt they will.

It could be construed as hassling paying customers if they don't want to be corralled and herded through Microsoft's store.

I understand, arguments against user-controlling DRM are not welcome on Ars (especially not in the Apple or Microsoft categories,) but at some point it has to be noted that DRM is always designed to be used against you, first and foremost.

PlunderBunny wrote:

And yet, when there's no DRM, it appears to be the users (or, at least, 90% of them) that are the dicks. Can you really blame developers for wanting to be paid?

I can't blame them, but I'm hard pressed to support their demands for user-is-the-enemy systems, especially if I own the hardware. And any argument for system level DRM on the mobile front is equally applicable to your PC (which, since it's not locked down, makes you a dirty, evil pirate.)

I hear you, screaming "buy something else," but the pro-DRM camp doesn't want me to be able to buy anything else.

Wow, this is so not the case. You've made it clear that you don't own a WP7 handset, so why don't you stick to things you know? The DRM on WP7 is completely unobtrusive. You never even know it's there unless you are actively trying to pirate apps. As a developer, I wouldn't have written any software whatsoever for WP7 if Microsoft couldn't provide me at least some protection from my stuff getting ripped off. They put in a system that is nigh-on undetectable to non-pirates, and for that, I commend them. As the article suggests, it seems there are some weak points in the current implementation, and I hope those are plugged up in a way that doesn't hurt consumers.

You know what does hurt paying consumers? Pirates. If I can't make a profit off my WP7 app that is currently in the store, I'm not going to continue improving it. Currently I'm making enough cash to keep development moving and keep adding features for paying customers. If it gets to a point where I'm getting no income from my hard work, because of piracy, I'll stop developing for the platform. You may say that DRM is directed at the consumer, but I say that it is designed to protect both the consumer and the developer.

Without any kind of DRM at all, do you really think that WP7 would have gotten 5k apps in the first two months of availability?

You've made it clear that you don't own a WP7 handset, so why don't you stick to things you know? The DRM on WP7 is completely unobtrusive.

I criticize DRM systems because not once have they worked for the user. You might argue that Steam does, but at the same time it doesn't demand that I surrender control of my computer to some 3rd party for access, as if I was some dirty, unworthy "proto-criminal." Your specious arguments don't hold water, and reek of RIAA/MPAA/BSA "one download = one lost sale" logic. Sadly, said bad logic and lock-down is spreading. But because I don't use it I can't criticize it. Right.

And I wouldn't care about whatever lock down methods YOU used for your App, but the Microsoft method relies totally on WP7 only running software signed by Microsoft. And I don't want to see such a form of "computing" to spread.

The tool's developer hopes that this will spur the company into improving its DRM protection.

Always love justifications like this. "Oh, I robbed this bank in the hopes the bank will see how lax its security is and improve it. No really, I'm a good guy here. I'm just showing them their flaws...and keeping the money for my time and effort. It's really for their benefit. No, really".

That assertion is so outrageous, I want to hear why exactly you feel like that. Or is this another one of those irrational complaints that live simply on hearsay without ever being substantiated?

It's outrageous? Show me how you load software on a WP7 device without going through Microsoft's store? Last I checked the ChevronWP7 was the only means by which you could do so without paying Microsoft a $99 fee for a key that only works on your phone (and potentially a handful of other handsets.) But if you're aware of another way, then I'd love to know.

Oh, and why is being opposed to corporate control-freakery irrational?

The tool's developer hopes that this will spur the company into improving its DRM protection.

Always love justifications like this. "Oh, I robbed this bank in the hopes the bank will see how lax its security is and improve it. No really, I'm a good guy here. I'm just showing them their flaws...and keeping the money for my time and effort. It's really for their benefit. No, really".

Way to not even read the article. The application is only for proof of concept. The author is not distributing the application in any format (and likely it would have never been created had Microsoft actually responded to concerns raised earlier). So your analogy is completely specious.

I criticize DRM systems because not once have they worked for the user. You might argue that Steam does, but at the same time it doesn't demand that I surrender control of my computer to some 3rd party for access, as if I was some dirty, unworthy "proto-criminal." Your specious arguments don't hold water, and reek of RIAA/MPAA/BSA "one download = one lost sale" logic. Sadly, said bad logic and lock-down is spreading. But because I don't use it I can't criticize it. Right.

And I wouldn't care about whatever lock down methods YOU used for your App, but the Microsoft method relies totally on WP7 only running software signed by Microsoft. And I don't want to see such a form of "computing" to spread.

So Steam DRM is okay but Microsoft requiring a cert isn't? The double standard there is pretty funny...

Heck, you aren't surrendering anything to Microsoft on the WP7 phone either so by your logic it is just fine right?

But the stupid DRM arguments aside, this isn't a case of "one download = one lost sale" this is downloads are wide open from the source when they shouldn't be. This isn't like someone bought the app and pirated it, this is Microsoft left the doors to the shop unlocked and pirates went in, downloaded the whole catalog of apps and are talking about making a torrent of all the apps...

So Steam DRM is okay but Microsoft requiring a cert isn't? The double standard there is pretty funny...

On WP7, no cert = no run. Steam, however, doesn't assume control over my hardware in exchange for executing software.

Quote:

Heck, you aren't surrendering anything to Microsoft on the WP7 phone either so by your logic it is just fine right?

To be fair, you opted at the start to surrender control to Microsoft by buying it. I don't like it because of what it represents down the line, especially if they feel they can get away with it.

Quote:

this is downloads are wide open from the source when they shouldn't be. This isn't like someone bought the app and pirated it, this is Microsoft left the doors to the shop unlocked and pirates went in, downloaded the whole catalog of apps and are talking about making a torrent of all the apps...

Way to not even read the article. The application is only for proof of concept. The author is not distributing the application in any format (and likely it would have never been created had Microsoft actually responded to concerns raised earlier). So your analogy is completely specious.

No, it's right on the mark. That you don't get that speaks volumes. Go back and read the article again. Slower this time. Try not to skim.

The developer has not distributed the application, or described how it works in any detail, as his intention is to demonstrate a problem rather than promote piracy;

Microsoft has been informed of the piracy application, but has not yet responded. The company's response to the earlier discovery that the XAPs could be downloaded was for many a little disappointing; to avoid reverse engineering, it recommended the use of code obfuscation software (and for a limited period, an obfuscator is freely downloadable), but this is hardly a robust solution.

Maybe you should take your own advice. Showing how an exploit works is not analogous to utilizing that exploit.

Wow, this is so not the case. You've made it clear that you don't own a WP7 handset, so why don't you stick to things you know? The DRM on WP7 is completely unobtrusive. You never even know it's there unless you are actively trying to pirate apps.

Really, so I can load up an app I've downloaded directly from the developer's website and loaded onto my phone?

Oh wait, maybe you're blowing smoke. It's primarily to enable a store lock-in. There are other ways - like an auth API - to do this, which DON'T involve a store lockin.

Quote:

Without any kind of DRM at all, do you really think that WP7 would have gotten 5k apps in the first two months of availability?

Wow, in 2 months they've got a whole quarter of the Android market's monthly app growth! Without requiring a store lockin, shit yes they'd be more apps - and more again if they let more people develop for it (they deliberately and for no good technical reason block many people from downloading the SDK) etc. etc.

It's outrageous? Show me how you load software on a WP7 device without going through Microsoft's store?

It's outrageous that you are opposed to this on a locked device. Don't like it, don't buy it. Nobody will force you to buy a WP7 or an iPad or any of their software. What's it to you how others choose to do their business?

Quote:

Oh, and why is being opposed to corporate control-freakery irrational?

You answer my question with a question of your own. Not a good sign. Especially because you now assume being opposed to corporate control (and this in itself would deserve a definition) should be something everyone should be opposed to on principle and does not require any explanation.

Why? Why are you opposed to it exactly? What's exactly your problem with Microsoft Store and Microsoft DRM for devices?

Without any kind of DRM at all, do you really think that WP7 would have gotten 5k apps in the first two months of availability?

Wow, in 2 months they've got a whole quarter of the Android market's monthly app growth! Without requiring a store lockin, shit yes they'd be more apps - and more again if they let more people develop for it (they deliberately and for no good technical reason block many people from downloading the SDK) etc. etc.

Huh? Apple's marketplace is even bigger than Android's, and they are as locked in, if not more so, than WP7. The lack of good DRM is a problem for developers. You've even got Rovio saying that you can't make money off of the Android marketplace from paid apps. They have to be ad based. I'll save you the effort of the Google search, here's the link... http://technmarketing.com/iphone/peter- ... nd-palmhp/ He never explicitly states the reason why you can't make money on Android, but there are really only two options. Android users are cheap, or they pirate like crazy.

DRM is a fact of life. People aren't going to spend time making software if someone can easily pirate it. As long as DRM is unobtrusive, what does it matter to you? -- other than a hypothetical philosophical standpoint that really doesn't affect real world usage, that is. DRM like steam, Apple, Kindle/Nook, WP7 etc is almost completely unobtrusive. You can use the software on multiple devices, so there's no real hassle for the end user.

He never explicitly states the reason why you can't make money on Android, but there are really only two options. Android users are cheap, or they pirate like crazy.

Assumptions. All you have is assumptions.

Quote:

DRM is a fact of life. People aren't going to spend time making software if someone can easily pirate it.

Really? So why do people make non-DRM PC and NDS games? Oh wait, you're blowing smoke. DRM is a choice with an associated philosophy of control.

Quote:

As long as DRM is unobtrusive, what does it matter to you? -- other than a hypothetical philosophical standpoint that really doesn't affect real world usage, that is. DRM like steam, Apple, Kindle/Nook, WP7 etc is almost completely unobtrusive.

Again, could I download software, install it and use it just like I can normal software on the PC? If no, then it's NOT unobtrusive. A market lock-in is equivalent to AOL's walled garden, not "unobtrusive". You're arguing for the supremacy of the model of the early 90's, but this time without the option of the other providers offering a competing model - the open model - which beat AOL's (and they're STILL bleeding subscribers today). You're holding up a corporatist banner, no more and no less.

There are non-obtrusive ways to do that kind of DRM. What you're describing isn't. Android's model is something I can support, but the others...

If you can think of another reason why you cannot make decent money off a highly popular program with millions of downloads on a very popular platform, I'd love to hear it.

*shrug* If you get a new phone, redownload it from the Marketplace. If you delete it, redownload it. It's not like you can run WP7 apps on a Nokia phone, or an iPhone, or an Android phone anyway. If you have a Windows Phone, you have Windows marketplace. Again, your argument is philosophical/theoretical with no real world implication.

And the presence or absence of DRM is not the same as the ability or lack to sideload apps. From what you're describing, you have no problem with DRM. You just have a problem with a closed environment.

This isn't an issue of you owning software and evil developers putting in DRM to make you buy the same content for each platform, it is an issue of pirates able to download apps from Microsoft for free and due to the nature of .NET, it is easily disassembled unless obfuscated.

So? Obfuscators are free. Any developer putting a .NET product on the web, without obfuscation, is a fool. What you describe happening to your app has happened MANY times in the past. Those who don't learn from history are doomed to repeat it.

If you want your app to be in the public domain, GPL it. The FSF lawyers will be on your side then.

microlith wrote:

the Microsoft method relies totally on WP7 only running software signed by Microsoft. And I don't want to see such a form of "computing" to spread.

Actually, it DID spread ... from Apple.

tuxRoller wrote:

I truly hope this shows content owners that Android is not particularly vulnerable to piracy. This is supposedly a reason given why Android wouldn't get a Netflix app, but W7 would.

I thought the problem was that Silverlight wasn't available for the Android.

If you can think of another reason why you cannot make decent money off a highly popular program with millions of downloads on a very popular platform, I'd love to hear it.

They made their decision based on an analysis of the market as it was when they began the port, which was quite a bit smaller than now - Android has taken time to gain momentum - and chose a business model of ad-supported. This does not mean they'd make the same analysis today, or that they have actually done a for-pay release in the Android marketplace.

*shrug* If you get a new phone, redownload it from the Marketplace. If you delete it, redownload it. It's not like you can run WP7 apps on a Nokia phone, or an iPhone, or an Android phone anyway. If you have a Windows Phone, you have Windows marketplace. Again, your argument is philosophical/theoretical with no real world implication.

Quote:

Besides, Android HAS DRM.

No, that's the Android marketplace, not Android itself.

Quote:

And the presence or absence of DRM is not the same as the ability or lack to sideload apps. From what you're describing, you have no problem with DRM. You just have a problem with a closed environment.

I have a problem with people running into issues. Now, with a mobile I think it's fair to assume a connection when you activate software on a device and if that means it's transparent to them, great. But under UK/EU law, no rights are lost just because it's software, except a VERY few specially enumerated. Unless I can pass the software to a friend (and this is, again, trivial with a decent auth API), bam, problem - and moreover, it's illegal to stop me from doing so.

Wiiggin, DRM is evil, regardless of why it is being deployed. The same goes for "licencing" of software.

Is DRM evil if it is preventing your doctor from forwarding your medical records to another unauthorized entity? Is DRM evil when it prevents a user in a company that has your PII from storing it in an inadequate form in a removable drive?

DRM is not good or evil. It is good when it is used to protect the information owned by someone from being abused or leaked by another person. It is evil when it prevents someone that owns something from doing whatever they want with what they own. And that's the main problem with media: the law says you don't OWN it. That's what should be fixed. When you buy a song, you should own that instance of the song, and be able to do whatever you want with it (even if it is sending it to a third party and the third party does not own the song so it would be illegal for them to play it). The concept of "licensing" content is broken.

You know, everyone has at some point pirated a game or a movie or an album. The difference between being an arsehole and a regular person is that a regular person accepts they're wrong to do so, rather than making up bullshit excuses in favour of it.

As a developer I simply see this as another reason to avoid Microsoft Phone 7 as a target platform for developing Apps.

dayznfuz wrote: "He never explicitly states the reason why you can't make money on Android, but there are really only two options. Android users are cheap, or they pirate like crazy."

I've seen figures of more than 95% piracy rates on the Android platform, which is why Peter Vesterbacka, creator of the Angry Birds, said that "nobody has been successful selling content on Android" not even the most successful mobile game ever. Even when they give it away for free but fill it with adverts (because they know it's pirated to death on Android) he said they still only make a tiny amount of money.

It's outrageous that you are opposed to this on a locked device. Don't like it, don't buy it.

Yes, "don't like it, don't buy it." But nowhere in there is "don't criticize it" valid.

Quote:

Nobody will force you to buy a WP7 or an iPad or any of their software. What's it to you how others choose to do their business?

I'm concerned that this shitty control-freak attitude will spread, like a disease.

Quote:

You answer my question with a question of your own. Not a good sign.

So being annoyed at companies acting like control freaks is irrational, but you won't say why.

Quote:

Especially because you now assume being opposed to corporate control (and this in itself would deserve a definition) should be something everyone should be opposed to on principle and does not require any explanation.

Simple. A corporation has a vested interest in denying you the ability to act freely with your property for the purposes of herding you through a store they control fully. They decide who gets to participate in the market, and what content appears. They also act aggressively, building a system from the ground up that denies everyone who uses it the ability to operate independently of this store.

Quote:

Why? Why are you opposed to it exactly? What's exactly your problem with Microsoft Store and Microsoft DRM for devices?

I don't give a damn about the store. But I do care that Microsoft, like Apple, are trying to lock every user of their platform in and restrict what they can do. If it was possible, like on Android, to load applications without having to go through the store or pay into the developer program, I wouldn't care.

But you can't. And I don't see why this model is in any way accepted in the mobile space when it would be fought tooth and nail on the desktop. Or maybe it wouldn't, and in a few years you'll be accusing everyone who jailbreaks their PCs/Uses Linux of being irrational.

Great, more fearmongering. The video doesn't really tell anything apart from the fact that he was able to intercept search requests + download a free xap file.

From the discussions I've read, it's not as simple as you've made it out in the article. Reverse engineering even non obfuscated simple apps is a pain, let alone large and complex applications that have been obfuscated with good tools.

At least wait for MS reply before scaring off the developers, thank you.

Great, more fearmongering. The video doesn't really tell anything apart from the fact that he was able to intercept search requests + download a free xap file.

Even free XAP files can't be deployed to handsets without modifying them.

Quote:

From the discussions I've read, it's not as simple as you've made it out in the article. Reverse engineering even non obfuscated simple apps is a pain, let alone large and complex applications that have been obfuscated with good tools.

No, reverse engineering .NET applications (including Silverlight programs as are used on Windows Phone 7) is generally pretty easy; Reflector does a great job for non-obfuscated binaries.